In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - resolve race condition during AER recovery
During the PCI AER system's error recovery process, the kernel driver may encounter a race condition with freeing the resetdata structure's memory. If the device restart will take more than 10 seconds the function scheduling that restart will exit due to a timeout, and the resetdata structure will be freed. However, this data structure is used for completion notification after the restart is completed, which leads to a UAF bug.
This results in a KFENCE bug notice.
BUG: KFENCE: use-after-free read in adfdeviceresetworker+0x38/0xa0 [intelqat] Use-after-free read at 0x00000000bc56fddf (in kfence-#142): adfdeviceresetworker+0x38/0xa0 [intelqat] processonework+0x173/0x340
To resolve this race condition, the memory associated to the container of the workstruct is freed on the worker if the timeout expired, otherwise on the function that schedules the worker. The timeout detection can be done by checking if the caller is still waiting for completion or not by using completiondone() function.
[ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7", "target": { "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Line", "deprecated": false, "digest": { "line_hashes": [ "75780933439391238251761850211360200997", "323730267805494544258945458979694962033", "43995140115722996421288930320974286620", "103021514939207054577116720270836107867", "189572394632585660235695157066640945446", "196879216231677901091686545114295570860", "41596924095884029706475013234821657662", "103283120440389303449206368082975275381", "126116700405644362009660060231235372988", "209804320929020035572698300566048516657", "297300229351634770021222080463715082799", "180601683722982782397744260109971655611", "83655711366303631311960191131170538708", "203985233444505479636113949096814648202", "15946555763033551051143503800657384424", "252717839618407277002464804298240479029", "245205154964913647852131735606845232915" ], "threshold": 0.9 }, "signature_version": "v1", "id": "CVE-2024-26974-17b97f3c" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc", "target": { "file": "drivers/crypto/intel/qat/qat_common/adf_aer.c" }, "signature_type": "Line", "deprecated": false, "digest": { "line_hashes": [ "194185254277893586117256749989371350229", "6840915083156359841429044459280193294", "43995140115722996421288930320974286620", "103021514939207054577116720270836107867", "189572394632585660235695157066640945446", "196879216231677901091686545114295570860", "41596924095884029706475013234821657662", "103283120440389303449206368082975275381", "126116700405644362009660060231235372988", "209804320929020035572698300566048516657", "297300229351634770021222080463715082799", "180601683722982782397744260109971655611", "83655711366303631311960191131170538708", "203985233444505479636113949096814648202", "15946555763033551051143503800657384424", "252717839618407277002464804298240479029", "245205154964913647852131735606845232915" ], "threshold": 0.9 }, "signature_version": "v1", "id": "CVE-2024-26974-196f8e18" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc", "target": { "function": "adf_dev_aer_schedule_reset", "file": "drivers/crypto/intel/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "266379697748115726347995385038215425014", "length": 799.0 }, "signature_version": "v1", "id": "CVE-2024-26974-284133f7" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7", "target": { "function": "adf_device_reset_worker", "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "110393565819693925793970337772966904771", "length": 695.0 }, "signature_version": "v1", "id": "CVE-2024-26974-426cad61" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4ae5a97781ce7d6ecc9c7055396535815b64ca4f", "target": { "function": "adf_dev_aer_schedule_reset", "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "266379697748115726347995385038215425014", "length": 799.0 }, "signature_version": "v1", "id": "CVE-2024-26974-44e3e502" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bb279ead42263e9fb09480f02a4247b2c287d828", "target": { "function": "adf_dev_aer_schedule_reset", "file": "drivers/crypto/intel/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "266379697748115726347995385038215425014", "length": 799.0 }, "signature_version": "v1", "id": "CVE-2024-26974-4efc77e4" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7d42e097607c4d246d99225bf2b195b6167a210c", "target": { "file": "drivers/crypto/intel/qat/qat_common/adf_aer.c" }, "signature_type": "Line", "deprecated": false, "digest": { "line_hashes": [ "194185254277893586117256749989371350229", "6840915083156359841429044459280193294", "43995140115722996421288930320974286620", "103021514939207054577116720270836107867", "176045294979152183217564342138737193841", "196879216231677901091686545114295570860", "41596924095884029706475013234821657662", "103283120440389303449206368082975275381", "126116700405644362009660060231235372988", "209804320929020035572698300566048516657", "297300229351634770021222080463715082799", "180601683722982782397744260109971655611", "83655711366303631311960191131170538708", "203985233444505479636113949096814648202", "15946555763033551051143503800657384424", "252717839618407277002464804298240479029", "245205154964913647852131735606845232915" ], "threshold": 0.9 }, "signature_version": "v1", "id": "CVE-2024-26974-585821dd" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7", "target": { "function": "adf_dev_aer_schedule_reset", "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "266379697748115726347995385038215425014", "length": 799.0 }, "signature_version": "v1", "id": "CVE-2024-26974-6528213b" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8e81cd58aee14a470891733181a47d123193ba81", "target": { "function": "adf_device_reset_worker", "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "110393565819693925793970337772966904771", "length": 695.0 }, "signature_version": "v1", "id": "CVE-2024-26974-73c63936" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7d42e097607c4d246d99225bf2b195b6167a210c", "target": { "function": "adf_dev_aer_schedule_reset", "file": "drivers/crypto/intel/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "266379697748115726347995385038215425014", "length": 799.0 }, "signature_version": "v1", "id": "CVE-2024-26974-745a3e7e" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4ae5a97781ce7d6ecc9c7055396535815b64ca4f", "target": { "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Line", "deprecated": false, "digest": { "line_hashes": [ "75780933439391238251761850211360200997", "323730267805494544258945458979694962033", "43995140115722996421288930320974286620", "103021514939207054577116720270836107867", "189572394632585660235695157066640945446", "196879216231677901091686545114295570860", "41596924095884029706475013234821657662", "103283120440389303449206368082975275381", "126116700405644362009660060231235372988", "209804320929020035572698300566048516657", "297300229351634770021222080463715082799", "180601683722982782397744260109971655611", "83655711366303631311960191131170538708", "203985233444505479636113949096814648202", "15946555763033551051143503800657384424", "252717839618407277002464804298240479029", "245205154964913647852131735606845232915" ], "threshold": 0.9 }, "signature_version": "v1", "id": "CVE-2024-26974-759779ef" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d03092550f526a79cf1ade7f0dfa74906f39eb71", "target": { "function": "adf_device_reset_worker", "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "110393565819693925793970337772966904771", "length": 695.0 }, "signature_version": "v1", "id": "CVE-2024-26974-7848f63f" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc", "target": { "function": "adf_device_reset_worker", "file": "drivers/crypto/intel/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "227139195073338255250383543920847946172", "length": 637.0 }, "signature_version": "v1", "id": "CVE-2024-26974-7900759b" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d03092550f526a79cf1ade7f0dfa74906f39eb71", "target": { "function": "adf_dev_aer_schedule_reset", "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "266379697748115726347995385038215425014", "length": 799.0 }, "signature_version": "v1", "id": "CVE-2024-26974-90bd8746" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bb279ead42263e9fb09480f02a4247b2c287d828", "target": { "function": "adf_device_reset_worker", "file": "drivers/crypto/intel/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "227139195073338255250383543920847946172", "length": 637.0 }, "signature_version": "v1", "id": "CVE-2024-26974-925ea4a3" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4ae5a97781ce7d6ecc9c7055396535815b64ca4f", "target": { "function": "adf_device_reset_worker", "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "110393565819693925793970337772966904771", "length": 695.0 }, "signature_version": "v1", "id": "CVE-2024-26974-95f4ff7c" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@daba62d9eeddcc5b1081be7d348ca836c83c59d7", "target": { "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Line", "deprecated": false, "digest": { "line_hashes": [ "75780933439391238251761850211360200997", "323730267805494544258945458979694962033", "43995140115722996421288930320974286620", "103021514939207054577116720270836107867", "189572394632585660235695157066640945446", "196879216231677901091686545114295570860", "41596924095884029706475013234821657662", "103283120440389303449206368082975275381", "126116700405644362009660060231235372988", "209804320929020035572698300566048516657", "297300229351634770021222080463715082799", "180601683722982782397744260109971655611", "83655711366303631311960191131170538708", "203985233444505479636113949096814648202", "15946555763033551051143503800657384424", "252717839618407277002464804298240479029", "245205154964913647852131735606845232915" ], "threshold": 0.9 }, "signature_version": "v1", "id": "CVE-2024-26974-9630e165" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7d42e097607c4d246d99225bf2b195b6167a210c", "target": { "function": "adf_device_reset_worker", "file": "drivers/crypto/intel/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "157992512134011814369114130611519245248", "length": 909.0 }, "signature_version": "v1", "id": "CVE-2024-26974-9bda88f1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bb279ead42263e9fb09480f02a4247b2c287d828", "target": { "file": "drivers/crypto/intel/qat/qat_common/adf_aer.c" }, "signature_type": "Line", "deprecated": false, "digest": { "line_hashes": [ "194185254277893586117256749989371350229", "6840915083156359841429044459280193294", "43995140115722996421288930320974286620", "103021514939207054577116720270836107867", "189572394632585660235695157066640945446", "196879216231677901091686545114295570860", "41596924095884029706475013234821657662", "103283120440389303449206368082975275381", "126116700405644362009660060231235372988", "209804320929020035572698300566048516657", "297300229351634770021222080463715082799", "180601683722982782397744260109971655611", "83655711366303631311960191131170538708", "203985233444505479636113949096814648202", "15946555763033551051143503800657384424", "252717839618407277002464804298240479029", "245205154964913647852131735606845232915" ], "threshold": 0.9 }, "signature_version": "v1", "id": "CVE-2024-26974-9f1db5b3" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@daba62d9eeddcc5b1081be7d348ca836c83c59d7", "target": { "function": "adf_dev_aer_schedule_reset", "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "266379697748115726347995385038215425014", "length": 799.0 }, "signature_version": "v1", "id": "CVE-2024-26974-a3fba1c1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8e81cd58aee14a470891733181a47d123193ba81", "target": { "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Line", "deprecated": false, "digest": { "line_hashes": [ "75780933439391238251761850211360200997", "323730267805494544258945458979694962033", "43995140115722996421288930320974286620", "103021514939207054577116720270836107867", "189572394632585660235695157066640945446", "196879216231677901091686545114295570860", "41596924095884029706475013234821657662", "103283120440389303449206368082975275381", "126116700405644362009660060231235372988", "209804320929020035572698300566048516657", "297300229351634770021222080463715082799", "180601683722982782397744260109971655611", "83655711366303631311960191131170538708", "203985233444505479636113949096814648202", "15946555763033551051143503800657384424", "252717839618407277002464804298240479029", "245205154964913647852131735606845232915" ], "threshold": 0.9 }, "signature_version": "v1", "id": "CVE-2024-26974-a551c131" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@daba62d9eeddcc5b1081be7d348ca836c83c59d7", "target": { "function": "adf_device_reset_worker", "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "110393565819693925793970337772966904771", "length": 695.0 }, "signature_version": "v1", "id": "CVE-2024-26974-a73b3c48" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d03092550f526a79cf1ade7f0dfa74906f39eb71", "target": { "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Line", "deprecated": false, "digest": { "line_hashes": [ "75780933439391238251761850211360200997", "323730267805494544258945458979694962033", "43995140115722996421288930320974286620", "103021514939207054577116720270836107867", "189572394632585660235695157066640945446", "196879216231677901091686545114295570860", "41596924095884029706475013234821657662", "103283120440389303449206368082975275381", "126116700405644362009660060231235372988", "209804320929020035572698300566048516657", "297300229351634770021222080463715082799", "180601683722982782397744260109971655611", "83655711366303631311960191131170538708", "203985233444505479636113949096814648202", "15946555763033551051143503800657384424", "252717839618407277002464804298240479029", "245205154964913647852131735606845232915" ], "threshold": 0.9 }, "signature_version": "v1", "id": "CVE-2024-26974-ba15d7b5" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8e81cd58aee14a470891733181a47d123193ba81", "target": { "function": "adf_dev_aer_schedule_reset", "file": "drivers/crypto/qat/qat_common/adf_aer.c" }, "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "266379697748115726347995385038215425014", "length": 799.0 }, "signature_version": "v1", "id": "CVE-2024-26974-c28500c4" } ]